Software Security Delivered in the Cloud
HP Fortify on Demand: The quickest, most affordable way to accurately test and score the security of any application
Solution guide
Table of contents
Executive summary ........................................ 3
Testing third-party software ............................. 3
Testing internally developed software .................... 3
How HP Fortify on Demand works ........................... 4
Correlation of static and dynamic results ................ 6
Workflows ................................................ 6
Three levels of dynamic testing .......................... 6
Security controls for HP Fortify on Demand ............... 7
Product specifications ................................... 8
Integration with HP Fortify Software Security Center ..... 8
Appendix: Fortify’s five-star security rating ............ 8




Figure 1: The Executive Dashboard shows key results for your application testing projects from a single screen.




Executive summary

HP Fortify on Demand is a Security-as-a-Service (SaaS) testing solution that allows any organization to test the security of software quickly, accurately, affordably, and without any software to install or manage. This automated on-demand service helps organizations with two key challenges:

• Ensuring the security of applications licensed from third parties
• Increasing the speed and efficiency of building security into a development lifecycle

HP Fortify on Demand serves the role of an independent, third-party system of record, conducting a consistent, unbiased analysis of an application and providing a detailed tamper-proof report back to the security team. Users simply upload their application binaries and/or provide a URL for testing. HP Fortify on Demand can conduct a static and/or dynamic test, verify all results, and present correlated findings in a detailed interface and report.

HP Fortify on Demand leverages the market-leading static analysis technology, HP Fortify Static Code Analyzer (SCA) software, and the award-winning dynamic analysis technology, HP WebInspect software. Organizations can view security vulnerabilities in one single dashboard, without installing software on-premise. HP Fortify on Demand is a highly secure SaaS environment with robust security controls that assure all sensitive uploads and other intellectual property remain uncompromised.

This document describes in detail how HP Fortify on Demand works and what it can accomplish for companies seeking to test the security of their software.

Figure 2: HP Fortify on Demand won the “Best Security Solution” CODiE Award.

Testing third-party software

HP Fortify on Demand helps address two key scenarios:

1. Vendor security management: Assessing third-party software

For most organizations, third-party code represents a large percentage of deployed software, and therefore a substantial area of potential risk. Yet most vendors provide little or no visibility into the security state of their products. While improved vendor contracts can provide some remedy in the case of a breach, ultimately it’s better to avoid the problem altogether. Companies should ensure their third-party software is tested for vulnerabilities during the procurement or upgrade process, and request that critical issues be addressed prior to acceptance. However, software vendors are, for a variety of reasons, resistant to having their software analyzed by anyone but themselves. Vendors are concerned about providing access to their most precious intellectual property—their source code. HP Fortify on Demand provides an easy-to-use SaaS-based approach that doesn’t require source code and allows the vendor to test applications, resolve issues, and then publish a report to the procurer. HP Fortify on Demand serves as an independent third-party and system of record for conducting a consistent, unbiased analysis.

Testing internally developed software

2. Enterprise assessment management: Assessing internal applications

With internally developed applications, HP Fortify on Demand helps in two ways. For companies with a secure development lifecycle already in place, HP Fortify on Demand can provide a final test before deployment. For organizations new to security, HP Fortify on Demand can provide a quick and accurate test to baseline applications and prioritize efforts to improve application security.




“HP technology identifies potential security threats in software through very deep analysis that ensures the software is safe to deploy and the sensitive data and application behavior cannot be compromised by hackers. HP Fortify on Demand is very easy to use and gives great pointers on where a vulnerability is rooted in the code so it can be quickly fixed.”
Anurag Khemka, President and CEO, RightWave, Inc.



How HP Fortify on Demand works

HP Fortify on Demand tests the security of in-house or third-party applications in four easy steps:

1. Login and upload applications

A new HP Fortify on Demand customer is given a private account with secure login credentials. Role-based access control allows administrators to see all projects and individual contributors to view only their projects. In the case of testing a vendor’s application, HP gives the vendor an entirely separate account.

The user has the ability to kick off a static scan of the application code or a dynamic scan of a running web application.

For static analysis, the user uploads the executable version of an application. HP Fortify on Demand doesn’t require source code. Examples of what may be uploaded include:

• A WAR or EAR file for Java
• A zip file of MSILs for .NET
• A zip file of the source files for PHP

HP Fortify on Demand supports 16 different languages—see “product specifications” on the last page for the complete list.

For dynamic analysis the user provides the URL for the application and any credentials necessary to access the site. If the application is not externally facing, HP Fortify on Demand can install a satellite appliance onsite, from which the testing can run. HP can use a VPN client to gain access to the internal site.

2. Comprehensive testing

HP Fortify on Demand provides comprehensive and accurate testing. The static analysis leverages the solution’s extensive Secure Coding Rulepacks, six analysis engines, and patented X-Tier Dataflow analysis to cover 100 percent of the code. The dynamic analysis leverages HP WebInspect. Dynamic testing experts from HP combine automated and manual testing on a web application that’s up and running. When the power of both whitebox and blackbox security testing is applied to a web application, it results in a comprehensive analysis of an application’s security posture.

Figure 3: Shown are the three key steps of the HP Fortify on Demand process.

1. Upload: Customer uploads software to the Cloud.
2. Test: HP Fortify on Demand conducts a thorough application security test (dynamic, static or manual) on the application.
3. Review: Customer reviews and analyzes the results of the application test in the form of a detailed report or dashboard.




After testing is complete, a software security auditor with a background in development and security reviews the result set for accuracy. If there are any false positives, the auditor removes these issues. If custom rules can be written to tailor the analysis to each individual application, the auditor will write these rules and then re-test the application.

3. Results released quickly

HP Fortify on Demand releases results as soon as they are ready. Static analysis results typically finish in one day, regardless of the application’s size. Dynamic analysis results may take longer, depending on the size and complexity of the application.

Once testing and reviews are complete, HP Fortify on Demand emails the user and communicates that the results are ready. A user can log in and view correlated and prioritized results.

Figure 4: This executive summary page of the report provides an overview of the security test.

The user can also generate a detailed report, which includes a wealth of information about the application, including the following:

• Application description provides an overview on the type of application, its language, use case, data sensitivity and version.
• HP Fortify Security on Demand Rating demonstrates the application’s overall level of security. This is based on a five-star rating system. One star represents an application with significant security issues and five stars represent an application with no detected vulnerabilities. A full description of the rating system can be found in the appendix of this document.
• Prioritized set of vulnerabilities shows how many critical, high, medium and low-priority issues were found.
• Remediation roadmap shows the effort it will take to improve the security rating.
• Vulnerabilities by attack vector shows how each identified vulnerability could be exploited.
• Most common vulnerabilities demonstrate what vulnerabilities are most prevalent.
• Vulnerabilities by category includes a full list of all vulnerabilities based on their type.
• Vulnerability details includes a complete list of all vulnerabilities, with details about each. HP Fortify on Demand provides helpful details about each vulnerability, including the filename and line of code (if the vulnerability was found statically), and the URL, request, response and parameters (if the vulnerability was found dynamically).
• Remediation guidance describes how each vulnerability could be exploited and how to remediate it.
• PCI report helps companies demonstrate compliance with the Payment Card Industry (PCI) Data Security Standards (DSS).
• OWASP Top 10 shows all issues that fall in the OWASP Top 10.




Figure 5: This summary view shows all issues identified based on the type of vulnerability, and whether they were found via static analysis (blue) or dynamic analysis (yellow).




Correlation of static and dynamic results

HP Fortify on Demand is the only SaaS-based solution to offer true correlation of static and dynamic results. If a customer selects both a static and dynamic scan of an application, all results will be correlated in order to help prioritize issues and reduce the time to investigate and fix issues.

If the same type of vulnerability is found at the same URL both statically and dynamically, HP Fortify on Demand automatically puts these results together, helping users investigate issues more easily and prioritize efforts.

The HP Fortify on Demand dashboard also provides summary correlation information, showing which vulnerabilities were found only statically, only dynamically, or with both analysis techniques. This summary information helps present the relative importance and value of each technique. In some cases the overlap between the two testing methodologies is very high, while at other times the overlap is minimal. Only HP Fortify on Demand provides true correlation, helping a company understand what the tests are finding and speed the time to remediation.

Workflows

HP Fortify on Demand has two core use cases—working with third parties to assess third-party code and working with internal developers or security managers to ensure internally developed code is secure. The workflow is very similar in both cases. Below is an overview of both workflows:

• Working with third parties to assure that their software is secure:
  – The vendor and the procurer receive separate HP Fortify on Demand accounts and establish a secure link between their accounts.
  – The vendor uploads its executable and/or provides a URL.
  – HP conducts thorough testing and works with the vendor to resolve issues.
  – When ready, the vendor publishes a summary report to the procurer, demonstrating the security posture of the application.
• Working with internal developers, quality assurance (QA) professionals or security managers to ensure internally developed code is secure:
  – Security managers provide logins to all HP Fortify on Demand users (most likely developers or security auditors).
  – Each user logs in and uploads the application and/or provides a URL.
  – HP conducts thorough testing and releases results.
  – All results are summarized in one core dashboard.

To speed the process and keep customers informed of status, HP Fortify on Demand sends email notifications whenever an application has been uploaded and when results are ready for viewing.

Three levels of dynamic testing

HP Fortify on Demand offers multiple options for licensing. For both static and dynamic analysis, a user can purchase individual scans or one-year subscriptions for unlimited scanning per application. For dynamic analysis, a user can choose among three different testing levels (Premium, Standard or Baseline). Each is designed for different use cases and offers varying levels of testing. A description of each is below:

• Premium
  – An automated and manual testing solution for websites that are permanent, mission-critical, have rigorous compliance requirements, and in which the company relies on serving its customers or business partners and has multi-step form-based processes
  – Includes testing for both technical and business logic vulnerabilities
  – Uncovering business logic vulnerabilities requires manual review by website security experts who are capable of understanding things like account structures and the contextual logic in web applications
  – All results are manually reviewed by security experts to remove any false positives
• Standard
  – An automated solution for websites that are a permanent fixture in a customer’s online experience and have multi-step form-based processes, but are not necessarily mission-critical
  – Includes testing for technical vulnerabilities
  – Includes the use of multiple automated and manual testing solutions
  – All results are manually reviewed by security experts to remove any false positives
• Baseline
  – An automated solution for websites that are seasonal or temporary in nature
  – All results are manually reviewed by security experts to remove any false positives

HP Fortify on Demand key advantages
• Best-of-breed static and dynamic analysis
• True correlation between static- and dynamic-analysis results
• All results manually reviewed by application security experts
• Flexibility for customers to easily migrate to on-premise solution
• Experienced security research team

Figure 6: This table shows a comparison of the three testing levels of dynamic analysis available via HP Fortify on Demand.

HP Fortify on Demand Dynamic                    Baseline   Standard   Premium
Kickoff
  Planning objectives                              x          x          x
  Credentials                                      x          x          x
  Prepare environment                              x          x          x
Prepare
  Create login script                              x          x          x
  Scan configuration                               x          x          x
  Application discovery                            x          x          x
  Application discovery with manual crawl                     x          x
Execute
  Automated application scanning                   x          x          x
  False positive removal                           x          x          x
  Bypass client controls                                      x          x
  Attack authentication                                       x          x
  Attack session management                                   x          x
  Attack access control                                       x          x
  Injection attack                                            x          x
  Attack server, or hijack user privileges                    x          x
  Advanced fuzzing                                                       x
  Application logic                                                      x
  Manual penetration test                                                x
Report
  Summary                                          x          x          x
  Recommendations                                  x          x          x

Security controls for HP Fortify on Demand

HP Fortify on Demand was designed and developed following industry best practices for secure SaaS solution deployment.

The solution is physically housed in a Tier 4 A+ datacenter featuring multiple redundant power and network feeds and “five nines” uptime. The datacenter is compliant with SAS 70 Type II, ITIL, ISO-17799 and SunTone. It has 24x7x365 security using closed-circuit television (CCTV). All datacenter employees are background-checked and all access is supervised. All doors require PIN, magnetic card and biometric retina scans before granting access. The datacenter has redundant power systems with backup generators and double-conversion uninterruptible power supplies (UPSs).

HP Fortify on Demand features world-class software security built with the same technology as HP Fortify Software Security Center, including hardened operating systems and open-source components. Independent third-party consulting firms conduct code reviews and pen tests on every major release.

HP Fortify on Demand has browser-to-system Secure Sockets Layer (SSL) encryption for data protection. All data, including intellectual property and analysis results, is encrypted with data-at-rest encryption technologies. All hard drives and storage systems are useless outside the HP Fortify datacenter environment.

A virtual private database is used to ensure separation between customers. The database is set up as a virtual per-client relational database management system (RDBMS) instance with database encryption, ensuring that users can only access their own data in their own database.

For more information on the security of HP Fortify on Demand, please see the whitepaper, “HP Fortify on Demand: Security Controls in Place,” available upon request (taylor.mckinley@hp.com).



Product specifications

• Language support
  – For static analysis:
    – Any applications written in Java, ASP.NET, C#, VB.NET, PHP, COBOL, ColdFusion, Classic ASP, VB6, VBScript, JavaScript/Ajax, JSP, Python, PL/SQL, T-SQL and XML/HTML
  – For dynamic analysis:
    – Any web application
    – Externally facing applications can be accessed directly
    – Internally facing applications can be accessed using client VPN, HP Appliance, or HP software sensor

Integration with HP Fortify Software Security Center

To ensure a secure development process throughout the software development lifecycle, a company may elect to bring this testing technology in-house, using it as early and as often as needed. This approach allows users to integrate software security assessment into their build systems, bug-tracking systems, integrated development environments (IDEs) and more. At any point in time, HP Fortify on Demand customers can migrate their data over to HP Fortify Software Security Center, the market-leading suite of solutions for Software Security Assurance (SSA). HP Fortify Software Security Center helps integrate security into the software development lifecycle. In most cases, customers who choose to use

Appendix: Fortify’s five-star security rating

HP Fortify on Demand prioritizes all identified issues into four risk quadrants: critical, high, medium and low. Membership in each quadrant is determined by whether the finding has a high or low impact and high or low likelihood.

Impact is the potential damage rendered to assets upon vulnerability exploitation. This damage may be in the form of, but not limited to, financial loss, compliance violation, brand/public-relations damage or loss of life.

Likelihood is a measure combining the accuracy of the result and the potential for exploit.

The HP Fortify on Demand Rating provides summary information on the nature of risk inherent in the application. A perfect rating within this system would be five stars, indicating that no vulnerabilities were uncovered.

• 1 Star: HP Fortify awards one star to projects that undergo an HP Fortify security review, which analyzes a project for a variety of software security vulnerabilities.
• 2 Stars: HP Fortify awards two stars to projects that undergo an HP Fortify security review that identifies no high-impact/high-likelihood issues. Vulnerabilities that are trivial to exploit and have a high business or technical impact should never exist in business-critical software.
                                                                                                       •	3 Stars: HP Fortify awards three stars to projects
                             HP Fortify on Demand over time transition some or all
                                                                                                         that undergo an HP Fortify security review that
                             of these licenses to HP Fortify Software Security Center
                                                                                                         identifies no high-impact/low-likelihood issues and
                             for use as a complete solution in-house for application
                                                                                                         meets the requirements needed to receive two stars.
                             development teams. If a company chooses to do this, all
                                                                                                         Vulnerabilities that have a high impact, even if they
                             data is easily migrated via a quick download.
                                                                                                         are non-trivial to exploit, should never exist in business-
                             Conclusion                                                                  critical software.

                             HP Fortify on Demand helps users achieve their software                   •	4 Stars: HP Fortify awards four stars to projects that
                             security assessment objectives by providing a robust                        undergo an HP Fortify security review that identifies
                             application-testing environment. Internal and third-party                   no low-impact/high-likelihood issues and meets
                             software becomes subject to comprehensive security                          the requirements for three stars. Vulnerabilities that
                             reviews that are quick, accurate and affordable. This                       have a low impact, but are easy to exploit, should
                             fully hosted SaaS offering uses the same award-winning                      be considered carefully as they may pose a greater
                             analysis technology as the market-leading HP Fortify                        threat if an attacker exploits many of them as part of a
                             Software Security Center, making it easy for customers to                   concerted effort or leverages a low-impact vulnerability
                             graduate from assessment to remediation and prevention                      as a stepping stone to mount a high-impact attack.
                             as part of a robust software security assurance program.                  •	5 Stars: HP Fortify awards five stars to projects that
                                                                                                         undergo an HP Fortify security review that identifies
                                                                                                         no issues.
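The star rules above are cumulative: every reviewed project holds one star, and each further star requires the previous level plus one more empty impact/likelihood class, so the worst class that still contains a finding caps the rating. The following Python is an added worked example, not HP's code and not part of the original guide; it encodes those rules and derives the "what must be fixed to gain the next star" view that the report's remediation roadmap summarizes. The Finding record, the category names and the sample findings are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Level(Enum):
    LOW = "low"
    HIGH = "high"


@dataclass(frozen=True)
class Finding:
    """One auditor-verified issue. The field shape is an assumption for this example."""
    category: str      # e.g. "SQL Injection" (illustrative name)
    impact: Level      # potential damage to assets if exploited
    likelihood: Level  # accuracy of the result combined with exploitability


# Impact/likelihood classes in the order the appendix clears them:
# star 2 needs no (HIGH, HIGH); star 3 additionally no (HIGH, LOW);
# star 4 additionally no (LOW, HIGH); star 5 additionally no (LOW, LOW).
QUADRANT_ORDER = [
    (Level.HIGH, Level.HIGH),
    (Level.HIGH, Level.LOW),
    (Level.LOW, Level.HIGH),
    (Level.LOW, Level.LOW),
]


def quadrant_counts(findings):
    """Number of findings in each (impact, likelihood) class."""
    return Counter((f.impact, f.likelihood) for f in findings)


def star_rating(findings) -> int:
    """One star for the review itself; each further star requires the next class
    in QUADRANT_ORDER to be empty. The first non-empty class caps the rating."""
    counts = quadrant_counts(findings)
    stars = 1
    for quadrant in QUADRANT_ORDER:
        if counts[quadrant]:
            break
        stars += 1
    return stars


def blockers_for_next_star(findings):
    """Findings that must be fixed (or rejected as false positives by the auditor)
    before the next star can be earned. Empty at five stars."""
    stars = star_rating(findings)
    if stars == 5:
        return []
    impact, likelihood = QUADRANT_ORDER[stars - 1]
    return [f for f in findings if f.impact is impact and f.likelihood is likelihood]


def remediation_roadmap(findings):
    """Simulate clearing the blocking class step by step and report
    (stars reached, findings to fix for the next star) after each step."""
    remaining = list(findings)
    roadmap = []
    while True:
        blockers = blockers_for_next_star(remaining)
        roadmap.append((star_rating(remaining), len(blockers)))
        if not blockers:
            return roadmap
        remaining = [f for f in remaining if f not in blockers]


# Constructed sample result set: one finding in each class.
SAMPLE_FINDINGS = [
    Finding("SQL Injection", Level.HIGH, Level.HIGH),
    Finding("Path Manipulation", Level.HIGH, Level.LOW),
    Finding("Cross-Site Scripting: Reflected", Level.LOW, Level.HIGH),
    Finding("Poor Error Handling", Level.LOW, Level.LOW),
]

if __name__ == "__main__":
    print("rating:", star_rating(SAMPLE_FINDINGS))
    print("fix next:", [f.category for f in blockers_for_next_star(SAMPLE_FINDINGS)])
    print("roadmap:", remediation_roadmap(SAMPLE_FINDINGS))
```

Note that the rating is only as good as the verified result set: a false positive left in the high-impact/high-likelihood class pins the application at one star, which is why the auditor's removal of false positives (and the correlation of static and dynamic hits) matters before the score is read.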




© Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties
for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be
construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Created June 2011

Contenu connexe

Dernier

“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...Marc Dusseiller Dusjagr
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions  for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions  for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdfssuser54595a
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfchloefrazer622
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionSafetyChain Software
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdfQucHHunhnh
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdfQucHHunhnh
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3JemimahLaneBuaron
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxpboyjonauth
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 
Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...
Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...
Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...RKavithamani
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology  ( Production , Purification , and Application  ) Hybridoma Technology  ( Production , Purification , and Application  )
Hybridoma Technology ( Production , Purification , and Application ) Sakshi Ghasle
 

Dernier (20)

“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions  for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions  for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdf
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory Inspection
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...
Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...
Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology  ( Production , Purification , and Application  ) Hybridoma Technology  ( Production , Purification , and Application  )
Hybridoma Technology ( Production , Purification , and Application )
 

En vedette

Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)contently
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summarySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentLily Ray
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best PracticesVit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project managementMindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Applitools
 
12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at WorkGetSmarter
 
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...DevGAMM Conference
 
Barbie - Brand Strategy Presentation
Barbie - Brand Strategy PresentationBarbie - Brand Strategy Presentation
Barbie - Brand Strategy PresentationErica Santiago
 
Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them well
Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them wellGood Stuff Happens in 1:1 Meetings: Why you need them and how to do them well
Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them wellSaba Software
 

En vedette (20)

Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
 
12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work
 
ChatGPT webinar slides
ChatGPT webinar slidesChatGPT webinar slides
ChatGPT webinar slides
 
More than Just Lines on a Map: Best Practices for U.S Bike Routes
More than Just Lines on a Map: Best Practices for U.S Bike RoutesMore than Just Lines on a Map: Best Practices for U.S Bike Routes
More than Just Lines on a Map: Best Practices for U.S Bike Routes
 
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
 
Barbie - Brand Strategy Presentation
Barbie - Brand Strategy PresentationBarbie - Brand Strategy Presentation
Barbie - Brand Strategy Presentation
 
Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them well
Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them wellGood Stuff Happens in 1:1 Meetings: Why you need them and how to do them well
Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them well
 

Software security delivered_in_the_cloud_fod_solution_guide_delivered_in_the_cloud_0911

  • 1. Software Security Delivered in the Cloud HP Fortify on Demand: The quickest, most affordable way to accurately test and score the security of any application Solution guide
  • 2. Table of contents Executive summary 3 Testing third-party software 3 Testing internally developed software 3 How HP Fortify on Demand works 4 Correlation of static and dynamic results 6 Workflows 6 Three levels of dynamic testing 6 Security controls for HP Fortify on Demand 7 Product specifications 8 Integration with HP Fortify Software Security Center 8 Appendix: Fortify’s five-star security rating 8 2
  • 3. Figure 1: The Executive Dashboard shows key results for your application testing projects from a single screen. Executive summary This document describes in detail how HP Fortify on Demand works and what it can accomplish for HP Fortify on Demand is a Security-as-a-Service (SaaS) companies seeking to test the security of their software. testing solution that allows any organization to test the security of software quickly, accurately, affordably, Testing third-party software and without any software to install or manage. This automated on-demand service helps organizations with HP Fortify on Demand helps address two key scenarios: two key challenges: 1. Vendor security management: Assessing third-party software • Ensuring the security of applications licensed from third For most organizations, third-party code represents a parties large percentage of deployed software, and therefore • Increasing the speed and efficiency of building a substantial area of potential risk. Yet most vendors security into a development lifecycle provide little or no visibility into the security state of their products. While improved vendor contracts can HP Fortify on Demand serves the role of an independent, provide some remedy in the case of a breach, ultimately third-party system of record, conducting a consistent, it’s better to avoid the problem altogether. Companies unbiased analysis of an application and providing a should ensure their third-party software is tested for detailed tamper-proof report back to the security team. vulnerabilities during the procurement or upgrade Users simply upload their application binaries and/or process, and request that critical issues be addressed provide a URL for testing. HP Fortify on Demand can prior to acceptance. 
However, software vendors are, for conduct a static and/or dynamic test, verify all results, a variety of reasons, resistant to having their software and present correlated findings in a detailed interface analyzed by anyone but themselves. Vendors are and report. concerned about providing access to their most precious HP Fortify on Demand leverages the market-leading intellectual property—their source code. HP Fortify on static analysis technology, HP Fortify Static Code Demand provides an easy-to-use SaaS-based approach Analyzer (SCA) software, and the award-winning that doesn’t require source code and allows the vendor dynamic analysis technology, HP WebInspect software. to test applications, resolve issues, and then publish a Organizations can view security vulnerabilities in one report to the procurer. HP Fortify on Demand serves as single dashboard, without installing software on- an independent third-party and system of record for premise. HP Fortify on Demand is a highly secure SaaS conducting a consistent, unbiased analysis. environment with robust security controls that assure all sensitive uploads and other intellectual property remain Testing internally developed software uncompromised. 2. Enterprise assessment management: Assessing internal applications Figure 2: HP Fortify on Demand won the “Best Security With internally developed applications, HP Fortify on Solution” CODiE Award. Demand helps in two ways. For companies with a secure development lifecycle already in place, HP Fortify on Demand can provide a final test before deployment. For organizations new to security, HP Fortify on Demand can provide a quick and accurate test to baseline applications and prioritize efforts to improve application security. 3
  • 4. “HP technology identifies potential security threats in software through very deep analysis that ensures the software is safe to deploy and the sensitive data and application behavior cannot be compromised by hackers. HP Fortify on Demand is very easy to use and gives great pointers on where a vulnerability is rooted in the code so it can be quickly fixed.” Anurag Khemka, President and CEO, RightWave, Inc. How HP Fortify on Demand works HP Fortify on Demand supports 16 different languages— see “product specifications” on the last page for the HP Fortify on Demand tests the security of in-house or complete list. third-party applications in four easy steps: For dynamic analysis the user provides the URL for the 1. Login and upload applications application and any credentials necessary to access the A new HP Fortify on Demand customer is given a private site. If the application is not externally facing, HP Fortify account with secure login credentials. Role-based access on Demand can install a satellite appliance onsite, from control allows administrators to see all projects and which the testing can run. HP can use a VPN client to individual contributors to view only their projects. In gain access to the internal site. the case of testing a vendor’s application, HP gives the vendor an entirely separate account. 2. Comprehensive testing HP Fortify on Demand provides comprehensive and The user has the ability to kick off a static scan of the accurate testing. The static analysis leverages the application code or a dynamic scan of a running web solution’s extensive Secure Coding Rulepacks, six application. analysis engines, and patented X-Tier Dataflow analysis For static analysis, the user uploads the executable to cover 100 percent of the code. The dynamic analysis version of an application. HP Fortify on Demand leverages HP WebInspect. Dynamic testing experts from doesn’t require source code. 
Examples of what may be HP combine automated and manual testing on a web uploaded include: application that’s up and running. When the power of both whitebox and blackbox security testing is applied • A WAR or EAR file for Java to a web application, it results in a comprehensive • A zip file of MSILs for .NET analysis of an application’s security posture. • A zip file of the source files for PHP Figure 3: Shown are the three key steps of the HP Fortify on Demand process. 1. 2. 3. Upload Review Test Customer uploads HP Fortify on Demand conducts a thorough Customer reviews and analyzes the software to the Cloud. application security test (dynamic, static or results of the application test in the form manual) on the application. of a detailed report or dashboard. 4
  • 5. After testing is complete, a software security auditor The user can also generate a detailed report, which with a background in development and security reviews includes a wealth of information about the application, the result set for accuracy. If there are any false positives, including the following: the auditor removes these issues. If custom rules can • Application description provides an overview on the be written to tailor the analysis to each individual type of application, its language, use case, data application, the auditor will write these rules and then sensitivity and version. re-test the application. • HP Fortify Security on Demand Rating demonstrates 3. Results released quickly the application’s overall level of security. This is based HP Fortify on Demand releases results as soon as they on a five-star rating system. One star represents are ready. Static analysis results typically finish in one an application with significant security issues and day, regardless of the application’s size. Dynamic five stars represent an application with no detected analysis results may take longer, depending on the vulnerabilities. A full description of the rating system size and complexity of the application. can be found in the appendix of this document. Once testing and reviews are complete, HP Fortify • Prioritized set of vulnerabilities shows how many on Demand emails the user and communicates that the critical, high, medium and low-priority issues were results are ready. A user can login and view correlated found. and prioritized results. • Remediation roadmap shows the effort it will take to improve the security rating. Figure 4: This executive summary page of the report provides an overview of the security test. • Vulnerabilities by attack vector shows how each identified vulnerability could be exploited. • Most common vulnerabilities demonstrate what vulnerabilities are most prevalent. 
• Vulnerabilities by category includes a full list of all vulnerabilities based on their type. • Vulnerability details includes a complete list of all vulnerabilities, with details about each. HP Fortify on Demand provides helpful details about each vulnerability, including the filename and line of code (if the vulnerability was found statically), and the URL, request, response and parameters (if the vulnerability was found dynamically). • Remediation guidance describes how each vulnerability could be exploited and how to remediate it. • PCI report helps companies demonstrate compliance with the Payment Card Industry (PCI) Data Security Standards (DSS). • OWASP Top 10 shows all issues that fall in the OWASP Top 10. 5
Figure 5: This summary view shows all issues identified based on the type of vulnerability, and whether they were found via static analysis (blue) or dynamic analysis (yellow).

Correlation of static and dynamic results
HP Fortify on Demand is the only SaaS-based solution to offer true correlation of static and dynamic results. If a customer selects both a static and a dynamic scan of an application, all results will be correlated in order to help prioritize issues and reduce the time to investigate and fix them.

If the same type of vulnerability is found at the same URL both statically and dynamically, HP Fortify on Demand automatically puts these results together, helping users investigate issues more easily and prioritize efforts.

The HP Fortify on Demand dashboard also provides summary correlation information, showing which vulnerabilities were found only statically, only dynamically, or with both analysis techniques. This summary information helps present the relative importance and value of each technique. In some cases the overlap between the two testing methodologies is very high, while at other times the overlap is minimal.

Only HP Fortify on Demand provides true correlation, helping a company understand what the tests are finding and speeding the time to remediation.

Workflows
HP Fortify on Demand has two core use cases: working with third parties to assess third-party code, and working with internal developers or security managers to ensure internally developed code is secure. The workflow is very similar in both cases. Below is an overview of both workflows:
• Working with third parties to assure that their software is secure:
  – The vendor and the procurer receive separate HP Fortify on Demand accounts and establish a secure link between their accounts.
  – The vendor uploads its executable and/or provides a URL.
  – HP conducts thorough testing and works with the vendor to resolve issues.
  – When ready, the vendor publishes a summary report to the procurer, demonstrating the security posture of the application.
• Working with internal developers, quality assurance (QA) professionals or security managers to ensure internally developed code is secure:
  – Security managers provide logins to all HP Fortify on Demand users (most likely developers or security auditors).
  – Each user logs in and uploads the application and/or provides a URL.
  – HP conducts thorough testing and releases results.
  – All results are summarized in one core dashboard.

To speed the process and keep customers informed of status, HP Fortify on Demand sends email notifications whenever an application has been uploaded and when results are ready for viewing.

Three levels of dynamic testing
HP Fortify on Demand offers multiple options for licensing. For both static and dynamic analysis, a user can purchase individual scans or one-year subscriptions for unlimited scanning per application. For dynamic analysis, a user can choose among three different testing levels (Premium, Standard or Baseline). Each is designed for different use cases and offers varying levels of testing. A description of each is below:
• Premium
  – An automated and manual testing solution for websites that are permanent, mission-critical, have rigorous compliance requirements, on which the company relies for serving its customers or business partners, and which have multi-step form-based processes
  – Includes testing for both technical and business logic vulnerabilities
  – Uncovering business logic vulnerabilities requires manual review by website security experts who are capable of understanding things like account structures and the contextual logic in web applications
  – All results are manually reviewed by security experts to remove any false positives
• Standard
  – An automated solution for websites that are a permanent fixture in a customer's online experience and have multi-step form-based processes, but are not necessarily mission-critical
  – Includes testing for technical vulnerabilities
  – Includes the use of multiple automated and manual testing solutions
  – All results are manually reviewed by security experts to remove any false positives
• Baseline
  – An automated solution for websites that are seasonal or temporary in nature
  – All results are manually reviewed by security experts to remove any false positives

HP Fortify on Demand key advantages
• Best-of-breed static and dynamic analysis
• True correlation between static- and dynamic-analysis results
• All results manually reviewed by application security experts
• Flexibility for customers to easily migrate to an on-premise solution
• Experienced security research team

Figure 6: This table shows a comparison of the three testing levels of dynamic analysis available via HP Fortify on Demand.

HP Fortify on Demand Dynamic            Baseline  Standard  Premium
Kickoff
  Planning objectives                      x         x         x
  Credentials                              x         x         x
  Prepare environment                      x         x         x
Prepare
  Create login script                      x         x         x
  Scan configuration                       x         x         x
  Application discovery                    x         x         x
  Application discovery with manual crawl            x         x
Execute
  Automated application scanning           x         x         x
  False positive removal                   x         x         x
  Bypass client controls                             x         x
  Attack authentication                              x         x
  Attack session management                          x         x
  Attack access control                              x         x
  Injection attack                                   x         x
  Attack server, or hijack user privileges           x         x
  Advanced fuzzing                                             x
  Application logic                                            x
  Manual penetration test                                      x
Report
  Summary                                  x         x         x
  Recommendations                          x         x         x

Security controls for HP Fortify on Demand
HP Fortify on Demand was designed and developed following industry best practices for secure SaaS solution deployment.

The solution is physically housed in a Tier 4 A+ datacenter featuring multiple redundant power and network feeds and "five nines" uptime. The datacenter is compliant with SAS 70 Type II, ITIL, ISO-17799 and SunTone. It has 24x7x365 security using closed-circuit television (CCTV). All datacenter employees are background-checked and all access is supervised. All doors require PIN, magnetic card and biometric retina scans before granting access. The datacenter has redundant power systems with backup generators and double-conversion uninterruptible power supplies (UPSs).

HP Fortify on Demand features world-class software security built with the same technology as HP Fortify Software Security Center, including hardened operating systems and open-source components. Independent third-party consulting firms conduct code reviews and pen tests on every major release.

HP Fortify on Demand has browser-to-system Secure Sockets Layer (SSL) encryption for data protection. All data, including intellectual property and analysis results, is encrypted with data-at-rest encryption technologies. All hard drives and storage systems are useless outside the HP Fortify datacenter environment.

A virtual private database is used to ensure separation between customers. The database is set up as a virtual per-client relational database management system (RDBMS) instance with database encryption, ensuring that users can only access their own data in their own database.

For more information on the security of HP Fortify on Demand, please see the whitepaper, "HP Fortify on Demand: Security Controls in Place," available upon request (taylor.mckinley@hp.com).
Product specifications
• Language support
  – For static analysis: any applications written in Java, ASP.NET, C#, VB.NET, PHP, COBOL, ColdFusion, Classic ASP, VB6, VBScript, JavaScript/Ajax, JSP, Python, PL/SQL, T-SQL and XML/HTML
  – For dynamic analysis: any web application
    – Externally facing applications can be accessed directly
    – Internally facing applications can be accessed using client VPN, HP Appliance, or HP software sensor

Integration with HP Fortify Software Security Center
To ensure a secure development process throughout the software development lifecycle, a company may elect to bring this testing technology in-house, using it as early and as often as needed. This approach allows users to integrate software security assessment into their build systems, bug-tracking systems, integrated development environments (IDEs) and more. At any point in time, HP Fortify on Demand customers can migrate their data over to HP Fortify Software Security Center, the market-leading suite of solutions for Software Security Assurance (SSA). HP Fortify Software Security Center helps integrate security into the software development lifecycle. In most cases, customers who choose to use HP Fortify on Demand over time transition some or all of these licenses to HP Fortify Software Security Center for use as a complete in-house solution for application development teams. If a company chooses to do this, all data is easily migrated via a quick download.

Conclusion
HP Fortify on Demand helps users achieve their software security assessment objectives by providing a robust application-testing environment. Internal and third-party software becomes subject to comprehensive security reviews that are quick, accurate and affordable. This fully hosted SaaS offering uses the same award-winning analysis technology as the market-leading HP Fortify Software Security Center, making it easy for customers to graduate from assessment to remediation and prevention as part of a robust software security assurance program.

Appendix: Fortify's five-star security rating
HP Fortify on Demand prioritizes all identified issues into four risk quadrants: critical, high, medium and low. Membership in each quadrant is determined by whether the finding has a high or low impact and a high or low likelihood.

Impact is the potential damage rendered to assets upon vulnerability exploitation. This damage may be in the form of, but is not limited to, financial loss, compliance violation, brand/public-relations damage or loss of life.

Likelihood is a measure combining the accuracy of the result and the potential for exploit.

The HP Fortify on Demand Rating provides summary information on the nature of the risk inherent in the application. A perfect rating within this system would be five stars, indicating that no vulnerabilities were uncovered.
• 1 Star: HP Fortify awards one star to projects that undergo an HP Fortify security review, which analyzes a project for a variety of software security vulnerabilities.
• 2 Stars: HP Fortify awards two stars to projects that undergo an HP Fortify security review that identifies no high-impact/high-likelihood issues. Vulnerabilities that are trivial to exploit and have a high business or technical impact should never exist in business-critical software.
• 3 Stars: HP Fortify awards three stars to projects that undergo an HP Fortify security review that identifies no high-impact/low-likelihood issues and meets the requirements needed to receive two stars. Vulnerabilities that have a high impact, even if they are non-trivial to exploit, should never exist in business-critical software.
• 4 Stars: HP Fortify awards four stars to projects that undergo an HP Fortify security review that identifies no low-impact/high-likelihood issues and meets the requirements for three stars. Vulnerabilities that have a low impact but are easy to exploit should be considered carefully, as they may pose a greater threat if an attacker exploits many of them as part of a concerted effort or leverages a low-impact vulnerability as a stepping stone to mount a high-impact attack.
• 5 Stars: HP Fortify awards five stars to projects that undergo an HP Fortify security review that identifies no issues.

© Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Created June 2011
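The appendix's cumulative star rules and the "same type at the same URL" correlation described earlier can be modelled in a few lines. The following is an added illustration, not HP's code: the mapping of the two impact/likelihood axes onto the four named quadrants, the Finding fields (in particular a URL on static results) and the sample findings are assumptions made here.

```python
"""Model of the page's five-star rating and static/dynamic correlation.
Added illustration, not HP's code: the quadrant mapping and the Finding
fields/sample data are assumptions made here."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    category: str        # vulnerability type, e.g. "SQL Injection"
    url: str             # affected URL (static results assumed mapped to one)
    high_impact: bool
    high_likelihood: bool
    source: str          # "static" or "dynamic"

def quadrant(f: Finding) -> str:
    """Map the two binary axes onto the four quadrants (assumed mapping)."""
    if f.high_impact and f.high_likelihood:
        return "critical"
    if f.high_impact:
        return "high"    # high impact, low likelihood
    if f.high_likelihood:
        return "medium"  # low impact, high likelihood
    return "low"

def star_rating(findings) -> int:
    """Stars per the appendix: each level also requires the one below it."""
    present = {quadrant(f) for f in findings}
    stars = 1
    for excluded in ("critical", "high", "medium", "low"):
        if excluded in present:
            break
        stars += 1
    return stars

def correlate(findings) -> dict:
    """Merge results sharing category and URL; count found by one or both."""
    sources = defaultdict(set)
    for f in findings:
        sources[(f.category, f.url)].add(f.source)
    summary = {"static only": 0, "dynamic only": 0, "both": 0}
    for found_by in sources.values():
        key = "both" if len(found_by) == 2 else f"{found_by.pop()} only"
        summary[key] += 1
    return summary

SAMPLE = [  # constructed sample findings, not real scan output
    Finding("SQL Injection", "/login", True, True, "static"),
    Finding("SQL Injection", "/login", True, True, "dynamic"),
    Finding("Cross-Site Scripting", "/search", False, True, "dynamic"),
    Finding("Weak Encryption", "/account", True, False, "static"),
]
```

With the sample set, the two SQL injection results merge into one correlated issue, and the presence of a critical-quadrant finding caps the rating at one star regardless of the other findings.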